Telecoms Security

Introduction

Telecoms security is a central element of the UK’s regulatory framework for communications providers. The Telecommunications (Security) Act 2021 (TSA) introduced a new statutory regime, supported by detailed regulations and a technical code of practice that increase the security obligations on public communications providers operating in the UK. The framework is supplemented by Ofcom’s monitoring and enforcement role and by wider Government measures designed to secure networks, supply chains and national infrastructure.

This page provides an overview of the regime and how it applies to providers operating in the UK. It is written for providers assessing the application of the TSA to their networks and operations, as well as organisations entering the UK market or engaging in transactions involving communications infrastructure or services.

Overview of the Telecoms Security Act

The TSA 2021 amended the Communications Act 2003 to introduce security duties for providers of public electronic communications networks and services. These duties require providers to:

  • take proportionate measures to identify and reduce security risks;
  • protect network and service availability;
  • prevent, remedy and mitigate security compromises; and
  • report certain incidents to Ofcom.

The Act gives the Secretary of State powers to issue designated vendor directions and to restrict the use of high-risk vendors. It also enhances Ofcom’s monitoring and enforcement powers, including the ability to require technical information and to conduct assessments.

Electronic Communications (Security Measures) Regulations 2022

The Electronic Communications (Security Measures) Regulations 2022 (ECSM Regulations) give effect to the TSA obligations by setting out specific, mandatory measures to be implemented by providers. These include measures relating to:

  • network architecture, design and segregation;
  • monitoring, logging, detection and response capabilities;
  • access controls and identity management;
  • supply chain risk management and vendor assurance;
  • software updates, patching and configuration management; and
  • asset inventories, documentation and continuity arrangements.

The Regulations apply to public communications providers meeting certain thresholds and are supported by detailed guidance in the Code of Practice.

Telecommunications Security Code of Practice

The Code of Practice issued under the TSA provides granular, technical guidance on the measures expected of providers. It reflects Government security principles and NCSC guidance, including:

  • secure network architecture and resilience principles;
  • security in virtualised and cloud-native network functions;
  • incident detection, response and recovery;
  • supply chain assurance and lifecycle management;
  • governance, policies and operational processes.

While not legally binding, the Code sets out what the Government considers appropriate to comply with the statutory duties. Ofcom uses the Code to inform its monitoring and enforcement activity.

Designated Vendor Directions

Under the TSA, the Secretary of State may designate a vendor as posing a security risk and issue binding directions restricting the circumstances in which that vendor’s goods, services or equipment may be used. The most significant example is the Huawei Designated Vendor Direction, which restricts the installation and use of Huawei equipment in certain parts of UK networks.

These directions form part of the wider set of national security and supply chain resilience measures that providers must consider as part of their compliance programme.

Relationship with Other UK Security Regimes

Telecoms security obligations interact with other UK regulatory frameworks, including:

Providers must consider the cumulative effect of these regimes when designing and operating networks in the UK.

Ofcom’s Role

Ofcom is responsible for monitoring and enforcing compliance with the TSA and ECSM Regulations. Its powers include:

  • requiring providers to provide information and documentation;
  • carrying out security assessments and audits;
  • issuing compliance notices;
  • imposing financial penalties; and
  • publishing guidance and technical expectations.

Ofcom’s approach is to work with providers to understand their networks and risk profiles while retaining the ability to use its enforcement powers where required.

How We Advise

We support clients at all stages of their compliance and governance programmes, including:

  • assessing whether the TSA and ECSM Regulations apply to a provider’s network, services or operations;
  • helping providers design and implement measures that align with statutory requirements, the Code of Practice and sector guidance;
  • advising on vendor management, procurement strategies and responses to designated vendor directions;
  • supporting incident response, reporting and liaison with Ofcom;
  • advising on transactions involving telecoms security considerations, including due diligence on networks, vendors and supply chains;
  • helping overseas providers understand the implications of operating networks or providing services in the UK.

Ofcom enforcement and compliance monitoring

Ofcom is responsible for monitoring and enforcing compliance with the security duties imposed by the TSA 2021 and the ECSM Regulations. Under section 105Z11 of the Communications Act 2003 (as inserted by the TSA), Ofcom may issue assessment notices requiring providers to submit to a technical assessment of their security measures. Ofcom may also issue enforcement notifications under section 105Z14 where it determines that a provider has contravened its security duties, and may impose financial penalties of up to 10% of relevant turnover or GBP 100,000 per day for continuing contraventions under section 105Z18.

Ofcom published its procedural guidance on telecoms security enforcement in 2023, setting out how it will investigate potential contraventions, the factors it will consider in determining whether to take enforcement action, and its approach to calculating penalties. Providers should be aware that Ofcom has signalled its intention to conduct proactive compliance assessments across the sector, targeting both Tier 1 and Tier 2 providers.

The TSA also requires providers to notify Ofcom of security compromises under section 105Z1 of the Communications Act 2003. The notification thresholds and reporting procedures are set out in the ECSM Regulations. Providers must notify Ofcom as soon as reasonably practicable and, for significant incidents, must also notify affected customers. The interaction between telecoms security incident reporting and data breach notification under UK GDPR Article 33 requires careful management, as the reporting obligations differ in scope, timing, and recipient.

How Bratby Law helps

Bratby Law advises communications providers, network infrastructure operators, and their investors on the full scope of telecoms security regulation under the TSA 2021 and the ECSM Regulations. Our managing partner previously worked at Oftel and held senior in-house regulatory roles at major UK telecoms operators, providing practical insight into how the regulator approaches security compliance.

Our work in this area includes:

  • Compliance gap analysis against the ECSM Regulations and the TSA Code of Practice
  • Advising on the scope of application of the TSA to specific network architectures, including virtualised and cloud-hosted infrastructure
  • Responding to Ofcom assessment notices and enforcement notifications under the TSA
  • Designated vendor direction compliance, including equipment removal planning and supply chain restructuring
  • Security compromise notification procedures and co-ordination with UK GDPR data breach reporting
  • Board and senior management briefings on telecoms security obligations and Ofcom enforcement risk
  • Due diligence on telecoms security compliance for M&A and infrastructure investment transactions

Book a call

For advice on telecoms security compliance, Ofcom enforcement, or designated vendor obligations, book a call with Rob Bratby.

FAQs

Which providers are subject to the TSA 2021?

The TSA 2021 applies to all providers of public electronic communications networks and public electronic communications services as defined in the Communications Act 2003. This includes fixed and mobile network operators, internet service providers, VoIP providers, and providers of over-the-top communications services where those services fall within the statutory definition. The ECSM Regulations introduce a tiered compliance framework based on annual relevant turnover, with Tier 1 providers (turnover above GBP 1 billion) subject to the most stringent requirements and shorter implementation timescales.

What is the TSA Code of Practice?

The Code of Practice is guidance issued by the Secretary of State under section 105E of the Communications Act 2003 (as inserted by the TSA). It sets out the technical measures that the Government considers appropriate for providers to comply with their security duties. The Code covers network architecture, access controls, supply chain security, security monitoring, incident response, and governance. While the Code is not legally binding, Ofcom may have regard to it when assessing whether a provider has complied with its security duties, and deviation from the Code will require the provider to demonstrate that equivalent security outcomes have been achieved by alternative means.

What are the penalties for non-compliance with the TSA?

Ofcom may impose financial penalties of up to 10% of relevant turnover for contravention of the security duties in the TSA, or up to GBP 100,000 per day for continuing contraventions. Ofcom may also issue enforcement notifications requiring the provider to take specific steps to remedy the contravention. For designated vendor directions, the Secretary of State may impose penalties for non-compliance with the direction. The penalty regime is designed to incentivise prompt compliance, and Ofcom has indicated that it will take a proportionate but firm approach to enforcement.

How does the TSA interact with the NIS Regulations?

The Network and Information Systems Regulations 2018 (NIS Regulations) apply to operators of essential services and relevant digital service providers. For telecoms providers, the TSA 2021 is the primary security regime, and Ofcom is the competent authority. However, where a telecoms provider also operates infrastructure that falls within the scope of the NIS Regulations (for example, as an operator of essential services in the energy or transport sectors), it may be subject to both regimes. The Government has indicated that the TSA framework is intended to be at least equivalent to the NIS requirements for the telecoms sector, but providers with cross-sector operations should map both sets of obligations.

Why Choose Bratby Law?

Over 30 years advising at the intersection of regulation, technology and commercial strategy, including experience at the UK telecoms regulator, in-house and in private practice in London and Singapore.

Clear advice grounded in the commercial context, helping clients make informed, defensible decisions.

City-quality advice without City overhead, with transparent pricing and predictable engagement models.

We work effectively with internal legal teams, boards, consultants and other advisers, whether leading a matter or fitting into a wider team.

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

  • Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category.
  • The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms).
  • Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader).
